<!DOCTYPE html>
<html lang="zh-CN">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Tomcat 安全配置完全指南</title>
    <link href="https://cdn.staticfile.org/font-awesome/6.4.0/css/all.min.css" rel="stylesheet">
    <link href="https://cdn.staticfile.org/tailwindcss/2.2.19/tailwind.min.css" rel="stylesheet">
    <link href="https://fonts.googleapis.com/css2?family=Noto+Serif+SC:wght@400;500;600;700&family=Noto+Sans+SC:wght@300;400;500;700&display=swap" rel="stylesheet">
    <script src="https://cdn.jsdelivr.net/npm/mermaid@latest/dist/mermaid.min.js"></script>
    <style>
        body {
            font-family: 'Noto Sans SC', Tahoma, Arial, Roboto, "Droid Sans", "Helvetica Neue", "Droid Sans Fallback", "Heiti SC", "Hiragino Sans GB", Simsun, sans-serif;
            background: linear-gradient(135deg, #f5f7fa 0%, #c3cfe2 100%);
            min-height: 100vh;
        }
        
        .hero-gradient {
            background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
        }
        
        .card-hover {
            transition: all 0.3s ease;
            border: 1px solid transparent;
        }
        
        .card-hover:hover {
            transform: translateY(-5px);
            box-shadow: 0 20px 40px rgba(0,0,0,0.1);
            border-color: #667eea;
        }
        
        .code-block {
            background: #1e1e1e;
            color: #d4d4d4;
            border-radius: 8px;
            overflow-x: auto;
            position: relative;
        }
        
        .code-block::before {
            content: attr(data-lang);
            position: absolute;
            top: 8px;
            right: 12px;
            font-size: 12px;
            color: #858585;
            text-transform: uppercase;
        }
        
        .section-number {
            display: inline-flex;
            align-items: center;
            justify-content: center;
            width: 40px;
            height: 40px;
            background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
            color: white;
            border-radius: 50%;
            font-weight: bold;
            margin-right: 12px;
        }
        
        .highlight-box {
            background: linear-gradient(135deg, #f093fb 0%, #f5576c 100%);
            color: white;
            padding: 20px;
            border-radius: 12px;
            margin: 20px 0;
        }
        
        .security-icon {
            font-size: 48px;
            background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
            -webkit-background-clip: text;
            -webkit-text-fill-color: transparent;
        }
        
        @keyframes float {
            0% { transform: translateY(0px); }
            50% { transform: translateY(-10px); }
            100% { transform: translateY(0px); }
        }
        
        .float-animation {
            animation: float 3s ease-in-out infinite;
        }
        
        .first-letter::first-letter {
            font-size: 3em;
            font-weight: 700;
            float: left;
            line-height: 1;
            margin-right: 8px;
            color: #667eea;
            font-family: 'Noto Serif SC', serif;
        }
    </style>
</head>
<body>
    <!-- Hero Section -->
    <div class="hero-gradient text-white py-20">
        <div class="container mx-auto px-6 text-center">
            <div class="float-animation inline-block mb-6">
                <i class="fas fa-shield-alt text-6xl"></i>
            </div>
            <h1 class="text-5xl font-bold mb-4">Tomcat 安全配置完全指南</h1>
            <p class="text-xl opacity-90 max-w-3xl mx-auto">
                构建坚不可摧的 Web 应用防线，从基础配置到高级防护策略的全方位安全实践
            </p>
        </div>
    </div>

    <!-- Main Content -->
    <div class="container mx-auto px-6 py-12">
        <!-- Introduction -->
        <div class="bg-white rounded-xl shadow-lg p-8 mb-8">
            <p class="text-lg leading-relaxed text-gray-700 first-letter">
                配置 Tomcat 的安全性是确保 Web 应用和服务器安全的关键步骤。Tomcat 作为一个常用的 Java Servlet 容器，可能会面临各种安全威胁，如未经授权的访问、数据泄露、服务拒绝攻击等。本指南将带您深入了解如何构建一个安全可靠的 Tomcat 服务器环境。
            </p>
        </div>

        <!-- Security Overview Diagram -->
        <div class="bg-white rounded-xl shadow-lg p-8 mb-8">
            <h2 class="text-2xl font-bold mb-6 text-gray-800">
                <i class="fas fa-network-wired text-purple-600 mr-3"></i>
                Tomcat 安全架构概览
            </h2>
            <div class="mermaid">
                graph TB
                    A[Tomcat 安全配置] --> B[基础安全设置]
                    A --> C[Web 应用保护]
                    A --> D[漏洞防护]
                    A --> E[监控审计]
                    A --> F[更新维护]
                    
                    B --> B1[修改默认端口]
                    B --> B2[禁用管理应用]
                    B --> B3[强密码策略]
                    
                    C --> C1[HTTPS 配置]
                    C --> C2[安全头设置]
                    C --> C3[身份认证授权]
                    
                    D --> D1[SQL 注入防护]
                    D --> D2[XSS 防护]
                    D --> D3[CSRF 防护]
                    D --> D4[Clickjacking 防护]
                    
                    E --> E1[访问日志]
                    E --> E2[异常监控]
                    
                    F --> F1[定期更新]
                    F --> F2[安全审计]
                    
                    style A fill:#667eea,stroke:#fff,stroke-width:3px,color:#fff
                    style B fill:#f093fb,stroke:#fff,stroke-width:2px,color:#fff
                    style C fill:#f093fb,stroke:#fff,stroke-width:2px,color:#fff
                    style D fill:#f093fb,stroke:#fff,stroke-width:2px,color:#fff
                    style E fill:#f093fb,stroke:#fff,stroke-width:2px,color:#fff
                    style F fill:#f093fb,stroke:#fff,stroke-width:2px,color:#fff
            </div>
        </div>

        <!-- Section 1: 安全配置基础 -->
        <div class="bg-white rounded-xl shadow-lg p-8 mb-8 card-hover">
            <h2 class="text-3xl font-bold mb-6 flex items-center">
                <span class="section-number">1</span>
                安全配置基础
            </h2>
            
            <div class="grid md:grid-cols-2 gap-6">
                <div class="bg-gray-50 rounded-lg p-6">
                    <h3 class="text-xl font-semibold mb-4 text-purple-700">
                        <i class="fas fa-exchange-alt mr-2"></i>
                        1.1 修改默认设置
                    </h3>
                    
                    <div class="mb-6">
                        <h4 class="font-semibold text-lg mb-3">
                            <i class="fas fa-port mr-2 text-purple-500"></i>
                            更改默认端口
                        </h4>
                        <p class="text-gray-600 mb-3">默认情况下，Tomcat 使用 8080 端口。通过修改 <code class="bg-purple-100 px-2 py-1 rounded">conf/server.xml</code> 文件中的 Connector 元素来更改端口，以减少被攻击的风险。</p>
                        <div class="code-block p-4" data-lang="xml">
                            <pre><code>&lt;Connector port="8180" protocol="HTTP/1.1" ... /&gt;</code></pre>
                        </div>
                    </div>
                    
                    <div>
                        <h4 class="font-semibold text-lg mb-3">
                            <i class="fas fa-ban mr-2 text-red-500"></i>
                            禁用管理和主机管理应用
                        </h4>
                        <p class="text-gray-600 mb-3">Tomcat 默认安装了管理控制台和主机管理应用。可以通过编辑配置文件来禁用这些应用。</p>
                        <div class="code-block p-4" data-lang="xml">
                            <pre><code>&lt;!-- 禁用 Manager 和 Host Manager --&gt;
&lt;Context path="/manager" docBase="${catalina.home}/webapps/manager" privileged="true" /&gt;
&lt;Context path="/host-manager" docBase="${catalina.home}/webapps/host-manager" privileged="true" /&gt;</code></pre>
                        </div>
                    </div>
                </div>
                
                <div class="bg-gray-50 rounded-lg p-6">
                    <h3 class="text-xl font-semibold mb-4 text-purple-700">
                        <i class="fas fa-cog mr-2"></i>
                        1.2 配置安全性参数
                    </h3>
                    
                    <div>
                        <h4 class="font-semibold text-lg mb-3">
                            <i class="fas fa-key mr-2 text-green-500"></i>
                            配置强密码策略
                        </h4>
                        <p class="text-gray-600 mb-3">修改 <code class="bg-purple-100 px-2 py-1 rounded">conf/tomcat-users.xml</code> 文件，确保使用强密码，并限制用户权限。</p>
                        <div class="code-block p-4" data-lang="xml">
                            <pre><code>&lt;tomcat-users&gt;
    &lt;role rolename="manager-gui"/&gt;
    &lt;role rolename="admin-gui"/&gt;
    &lt;user username="admin" password="strongpassword" roles="manager-gui,admin-gui"/&gt;
&lt;/tomcat-users&gt;</code></pre>
                        </div>
                    </div>
                    
                    <div class="highlight-box mt-6">
                        <i class="fas fa-lightbulb mr-2"></i>
                        <strong>安全提示：</strong>使用至少12位包含大小写字母、数字和特殊字符的密码，并定期更换。
                    </div>
                </div>
            </div>
        </div>

        <!-- Section 2: 保护 Web 应用 -->
        <div class="bg-white rounded-xl shadow-lg p-8 mb-8 card-hover">
            <h2 class="text-3xl font-bold mb-6 flex items-center">
                <span class="section-number">2</span>
                保护 Web 应用
            </h2>
            
            <div class="mb-8">
                <h3 class="text-xl font-semibold mb-4 text-purple-700">
                    <i class="fas fa-shield-alt mr-2"></i>
                    2.1 配置 Web 应用的安全性
                </h3>
                
                <div class="grid md:grid-cols-2 gap-6">
                    <div>
                        <h4 class="font-semibold text-lg mb-3">
                            <i class="fas fa-header mr-2 text-blue-500"></i>
                            设置安全头
                        </h4>
                        <p class="text-gray-600 mb-3">在 <code class="bg-purple-100 px-2 py-1 rounded">WEB-INF/web.xml</code> 文件中配置安全头以防止 XSS 和 Clickjacking 攻击。</p>
                        <div class="code-block p-4" data-lang="xml">
                            <pre><code>&lt;filter&gt;
    &lt;filter-name&gt;SecurityHeaders&lt;/filter-name&gt;
    &lt;filter-class&gt;org.apache.catalina.filters.AddDefaultHeadersFilter&lt;/filter-class&gt;
    &lt;init-param&gt;
        &lt;param-name&gt;headerName&lt;/param-name&gt;
        &lt;param-value&gt;X-Content-Type-Options: nosniff&lt;/param-value&gt;
    &lt;/init-param&gt;
&lt;/filter&gt;</code></pre>
                        </div>
                    </div>
                    
                    <div>
                        <h4 class="font-semibold text-lg mb-3">
                            <i class="fas fa-lock mr-2 text-green-500"></i>
                            使用 HTTPS
                        </h4>
                        <p class="text-gray-600 mb-3">强制使用 HTTPS 以确保数据传输加密。</p>
                        <div class="code-block p-4" data-lang="xml">
                            <pre><code>&lt;Connector port="8443" protocol="HTTP/1.1"
           maxThreads="150" SSLEnabled="true"
           scheme="https" secure="true" 
           clientAuth="false" sslProtocol="TLS"/&gt;</code></pre>
                        </div>
                    </div>
                </div>
            </div>
            
            <div>
                <h3 class="text-xl font-semibold mb-4 text-purple-700">
                    <i class="fas fa-user-shield mr-2"></i>
                    2.2 进行身份验证和授权
                </h3>
                
                <div class="bg-gray-50 rounded-lg p-6">
                    <h4 class="font-semibold text-lg mb-3">配置身份